Abstract — In this paper, we consider the problem of constructing a finite bisimulation quotient for a discrete-time switched linear system in a bounded subset of its state space. Given a set of observations over polytopic subsets of the state space and a switched linear system with stable subsystems, the proposed algorithm generates the bisimulation quotient in a finite number of steps with the aid of sublevel sets of a polyhedral Lyapunov function. Starting from a sublevel set that includes the origin in its interior, the proposed algorithm iteratively constructs the bisimulation quotient for any larger sublevel set. The bisimulation quotient can then be further used for synthesis of the switching law and system verification with respect to specifications given as syntactically co-safe Linear Temporal Logic formulas over the observed polytopic subsets.

I. INTRODUCTION 

In recent years, there has been a trend to bridge the gap between control theory and formal methods. Control theory allows for analysis and control of "complex" dynamical systems with infinite state spaces, such as systems of controlled differential equations, against "simple" specifications, such as stability and reachability. In formal methods, "simple" systems, such as finite transition systems, are checked against "complex" (rich and expressive) specification languages, such as temporal logics. Recent studies show that certain classes of dynamical systems can be abstracted to finite transition systems. Applications in robotics [1], multi-agent control systems [2], and bioinformatics [3] show that model checking and automata games can be used to analyze and control systems with non-trivial dynamics from specifications given as temporal logic formulas.

In this paper, we focus on switched linear systems made of stable subsystems, and show that a finite bisimulation abstraction of the system can be efficiently constructed within some relevant, bounded subset of the state space. Since the bisimulation quotient preserves all properties that are expressible in frameworks as rich as the $\mu$-calculus, and implicitly Computation Tree Logic (CTL) and Linear Temporal Logic (LTL) (see e.g., [4]-[6]), it can be readily used for system verification and controller synthesis against such specifications. We show how our method can be used for both controller synthesis and verification from specifications given as arbitrary formulas of a fragment of LTL, called syntactically co-safe LTL (scLTL). For controller synthesis, we find the largest set of initial states and switching sequences such that all system trajectories satisfy a given formula. For verification, we find the largest set of initial states such that all system trajectories satisfy the formula under arbitrary switching.

The concept of constructing a finite quotient of an infinite system has been widely studied, e.g., [7]-[9]. It is known that finite state bisimulation quotients exist only for specific classes of systems (e.g., timed automata [9] and controllable linear systems [7]), and the well known bisimulation algorithm [4] in general does not terminate [10]. Approximately bisimilar finite abstractions for continuous-time switched systems were constructed under incremental stability assumptions in [11]. For piecewise linear systems, guided refinement procedures were employed with the goal of constructing the quotient system for verification of certain properties [8], [10].

We propose to obtain a finite bisimulation quotient of the system in a computationally feasible manner by only considering the system behavior within a relevant state space that does not contain the origin, i.e., in between two positively invariant compact sets that contain the origin. Our approach relies upon the existence of a polyhedral Lyapunov function, which is a necessary condition for stability under arbitrary switching, see, e.g., [12]. We propose to partition the state space by using sublevel sets of the Lyapunov function. Such sublevel sets, which are polytopic, allow us to generate the bisimulation quotient incrementally as the abstraction algorithm iterates, with no "holes" in the covered state space. Since we can obtain polytopic sublevel sets of any size from the Lyapunov function, the balance between the size of the abstracted state space and the amount of computation can be easily adjusted and controlled. Starting from the observation that the existence of the Lyapunov function renders the origin asymptotically stable for the switched system, its trajectories can only spend a finite time in the region of interest. As a result, we restrict our attention to LTL specifications that can be satisfied in finite time, such as scLTL formulas.

This paper is a natural, but non-trivial extension of our recent work [13], in which we used polytopic sublevel sets to generate a bisimulation quotient for a discrete autonomous linear system. Another conceptually related work is [14], where $n$ Lyapunov functions were used for the abstraction of $n$-dimensional continuous-time Morse-Smale systems (e.g., hyperbolic linear systems) to timed automata. The abstraction proposed therein is weaker than bisimulation, but it can be used to verify safety properties. While both [14] and this work use sublevel sets for abstraction, the main difference between [14] and this approach comes from the usage of polyhedral Lyapunov functions, and therefore different classes of systems for which the methods apply. Our approach removes the need for multiple orthogonal Lyapunov functions, and we argue that it allows for a more tractable implementation since the abstraction of timed automata is expensive by itself [9], and polytopic sublevel sets ensure that the abstraction algorithm requires only polytopic operations.

The rest of the paper is organized as follows. We introduce preliminaries in Sec. II and formulate the problem in Sec. III. We present the algorithm to generate the bisimulation quotient in Sec. IV and we show in Sec. V how the resulting bisimulation quotient can be used to synthesize switching control laws and verify the system behavior against temporal logic formulas. Conclusions are summarized in Sec. VI.



II. PRELIMINARIES 

For a set $\mathcal{S}$, $\mathrm{int}(\mathcal{S})$, $|\mathcal{S}|$, and $2^{\mathcal{S}}$ stand for its interior, cardinality, and power set, respectively. For $\lambda \in \mathbb{R}$ and $\mathcal{S} \subseteq \mathbb{R}^n$, let $\lambda\mathcal{S} := \{\lambda x \mid x \in \mathcal{S}\}$. We use $\mathbb{R}$, $\mathbb{R}_+$, $\mathbb{Z}$, and $\mathbb{Z}_+$ to denote the sets of real numbers, non-negative reals, integer numbers, and non-negative integers. For $m, n \in \mathbb{Z}_+$, we use $\mathbb{R}^n$ and $\mathbb{R}^{m \times n}$ to denote the set of column vectors and matrices with $n$ and $m \times n$ real entries. For a vector $v$ or a matrix $A$, we denote by $v^T$ or $A^T$ its transpose, respectively.

For a vector $x \in \mathbb{R}^n$, $[x]_i$ denotes the $i$-th element of $x$ and $\|x\|_\infty = \max_{i=1,\dots,n} |[x]_i|$ denotes the infinity norm of $x$, where $|\cdot|$ denotes the absolute value. For a matrix $Z \in \mathbb{R}^{l \times n}$, let $\|Z\|_\infty := \sup_{x \neq 0} \frac{\|Zx\|_\infty}{\|x\|_\infty}$ denote its induced matrix infinity norm.

An $n$-dimensional polytope $\mathcal{P}$ (see, e.g., [15]) in $\mathbb{R}^n$ can be described as the convex hull of $n + 1$ affinely independent points in $\mathbb{R}^n$. Alternatively, $\mathcal{P}$ can be described as the intersection of $k$, where $k \geq n + 1$, closed half spaces, i.e., there exist $k \geq n + 1$ and $H_{\mathcal{P}} \in \mathbb{R}^{k \times n}$, $h_{\mathcal{P}} \in \mathbb{R}^k$, such that

$$\mathcal{P} = \{x \in \mathbb{R}^n \mid H_{\mathcal{P}} x \leq h_{\mathcal{P}}\}. \qquad (1)$$



We assume polytopes in $\mathbb{R}^n$ are $n$-dimensional unless noted otherwise. The boundaries of a polytope $\mathcal{P}$ are called facets, denoted by $f(\mathcal{P})$, which are themselves $(n-1)$-dimensional polytopes. A semi-linear set (also called a polyhedron in the literature) in $\mathbb{R}^n$ is defined as finite unions, intersections and complements of sets $\{x \in \mathbb{R}^n \mid a^T x \sim b,\ \sim \in \{=, <\}\}$, for some $a \in \mathbb{R}^n$ and $b \in \mathbb{R}$. Note that a convex and bounded semi-linear set is equivalent to a polytope with some of its facets removed.

A. Transition systems and bisimulations 

Definition 2.1: A transition system (TS) is a tuple $T = (Q, \Sigma, \rightarrow, \Pi, h)$, where

• $Q$ is a (possibly infinite) set of states;

• $\Sigma$ is a set of inputs;

• $\rightarrow \subseteq Q \times \Sigma \times Q$ is a set of transitions;

• $\Pi$ is a finite set of observations; and

• $h : Q \rightarrow 2^{\Pi}$ is an observation map.

We denote $x \xrightarrow{\sigma} x'$ if $(x, \sigma, x') \in \rightarrow$. We assume $T$ to be non-blocking, i.e., for each $x \in Q$, there exist $x' \in Q$ and $\sigma \in \Sigma$ such that $x \xrightarrow{\sigma} x'$. An input word is defined as an infinite sequence $\sigma = \sigma_0 \sigma_1 \dots$ where $\sigma_k \in \Sigma$ for all $k \in \mathbb{Z}_+$. A trajectory of $T$ produced by an input word $\sigma = \sigma_0 \sigma_1 \dots$ and originating at state $x_0$ is an infinite sequence $x = x_0 x_1 \dots$ where $x_k \xrightarrow{\sigma_k} x_{k+1}$ for all $k \in \mathbb{Z}_+$. A trajectory $x$ generates a word $o = o_0 o_1 \dots$, where $o_k = h(x_k)$ for all $k \in \mathbb{Z}_+$.

The TS $T$ is finite if $|Q| < \infty$ and $|\Sigma| < \infty$, otherwise $T$ is infinite. Moreover, $T$ is deterministic if $x \xrightarrow{\sigma} x'$ implies that there does not exist $x'' \neq x'$ such that $x \xrightarrow{\sigma} x''$; otherwise, $T$ is called non-deterministic. Given a set $X \subseteq Q$, we define the set of states $\mathrm{Pre}_T(X, \sigma)$ that reach $X$ in one step when input $\sigma$ is applied as

$$\mathrm{Pre}_T(X, \sigma) := \{x \in Q \mid \exists x' \in X,\ x \xrightarrow{\sigma} x'\}. \qquad (2)$$



States of a TS can be related by a relation $\sim \subseteq Q \times Q$. For convenience of notation, we denote $x \sim x'$ if $(x, x') \in \sim$. The subset $X \subseteq Q$ is called an equivalence class if $x, x' \in X \Leftrightarrow x \sim x'$. We denote by $Q/\!\sim$ the set labeling all equivalence classes and define a map $\mathrm{eq} : Q/\!\sim \rightarrow 2^Q$ such that $\mathrm{eq}(X)$ is the set of states in the equivalence class $X \in Q/\!\sim$.

Definition 2.2: We say that a relation $\sim$ is observation preserving if for any $x, x' \in Q$, $x \sim x'$ implies that $h(x) = h(x')$.

Definition 2.3: A finite partition $P$ of a set $S$ is a finite collection of sets $P := \{P_i\}_{i \in I}$, such that $\bigcup_{i \in I} P_i = S$ and $P_i \cap P_j = \emptyset$ if $i \neq j$. A finite refinement of $P$ is a finite partition $P'$ of $S$ such that for each $P_i \in P'$, there exists $P_j \in P$ such that $P_i \subseteq P_j$.

A partition naturally induces a relation, and an observation preserving relation induces a quotient TS. One can immediately verify that a refinement of an observation preserving partition is also observation preserving.

Definition 2.4: An observation preserving relation $\sim$ of a TS $T = (Q, \Sigma, \rightarrow, \Pi, h)$ induces a quotient transition system $T/\!\sim = (Q/\!\sim, \Sigma, \rightarrow_\sim, \Pi, h_\sim)$, where $Q/\!\sim$ is the set labeling all equivalence classes. The transitions of $T/\!\sim$ are defined as $X \xrightarrow{\sigma}_\sim Y$ if and only if there exist $x \in \mathrm{eq}(X)$ and $x' \in \mathrm{eq}(Y)$ such that $x \xrightarrow{\sigma} x'$. The observation map is defined as $h_\sim(X) := h(x)$, where $x \in \mathrm{eq}(X)$.

Definition 2.5: Given a TS $T = (Q, \Sigma, \rightarrow, \Pi, h)$, a relation $\sim$ is a bisimulation relation of $T$ if (1) $\sim$ is observation preserving; and (2) for any $x_1, x_2 \in Q$, $\sigma \in \Sigma$, if $x_1 \sim x_2$ and $x_1 \xrightarrow{\sigma} x_1'$, then there exists $x_2' \in Q$ such that $x_2 \xrightarrow{\sigma} x_2'$ and $x_1' \sim x_2'$.

If $\sim$ is a bisimulation, then the quotient transition system $T/\!\sim$ is called a bisimulation quotient of $T$. In this case, $T$ and $T/\!\sim$ are said to be bisimilar. Bisimulation is a very strong equivalence relation between systems. In fact, it preserves properties expressed in temporal logics such as LTL, CTL and the $\mu$-calculus [4]-[6]. As such, it is used as an important tool to reduce the complexity of system verification or controller synthesis, since the bisimulation quotient (which may be finite) can be verified or used for controller synthesis instead of the original system.

B. Polyhedral Lyapunov functions 

Consider an autonomous discrete-time system,

$$x_{k+1} = \Phi(x_k), \quad k \in \mathbb{Z}_+, \qquad (3)$$

where $x_k \in \mathbb{R}^n$ is the state at the discrete-time instant $k$ and $\Phi : \mathbb{R}^n \rightarrow \mathbb{R}^n$ is an arbitrary map with $\Phi(0) = 0$. Given a state $x \in \mathbb{R}^n$, $x' := \Phi(x)$ is called a successor state of $x$.

Definition 2.6: Let $\lambda \in [0, 1]$. We call a set $\mathcal{P} \subseteq \mathbb{R}^n$ $\lambda$-contractive (shortly, contractive) if for all $x \in \mathcal{P}$ it holds that $\Phi(x) \in \lambda\mathcal{P}$. For $\lambda = 1$, we call $\mathcal{P}$ a positively invariant set.

Theorem 2.1: Let $\mathcal{X}$ be a positively invariant set for (3) with $0 \in \mathrm{int}(\mathcal{X})$. Furthermore, let $\alpha_1, \alpha_2 \in \mathcal{K}_\infty$, $\rho \in (0, 1)$ and $V : \mathbb{R}^n \rightarrow \mathbb{R}_+$ such that:

$$\alpha_1(\|x\|) \leq V(x) \leq \alpha_2(\|x\|), \quad \forall x \in \mathcal{X}, \qquad (4)$$
$$V(\Phi(x)) \leq \rho V(x), \quad \forall x \in \mathcal{X}. \qquad (5)$$

Then system (3) is asymptotically stable in $\mathcal{X}$.
The proof of Thm. 2.1 can be found in [16], [17].



Definition 2.7: A function $V : \mathbb{R}^n \rightarrow \mathbb{R}_+$ is called a Lyapunov function (LF) in $\mathcal{X}$ if it satisfies (4) and (5). If $\mathcal{X} = \mathbb{R}^n$, then $V$ is called a global Lyapunov function.

The parameter $\rho$ is called the contraction rate of $V$. For any $\Gamma > 0$, $\mathcal{P}_\Gamma := \{x \in \mathbb{R}^n \mid V(x) \leq \Gamma\}$ is called a sublevel set of $V$.

For the remainder of this paper we consider LFs defined using the infinity norm, i.e.,

$$V(x) = \|Lx\|_\infty, \quad L \in \mathbb{R}^{l \times n}, \ l \geq n, \ l \in \mathbb{Z}_+, \qquad (6)$$

where $L$ has full column rank. Notice that infinity norm Lyapunov functions are a particular type of polyhedral Lyapunov functions. We opted for this type of function to simplify the exposition but in fact, the proposed abstraction method applies to general polyhedral Lyapunov functions defined by Minkowski (gauge) functions of polytopes in $\mathbb{R}^n$ with the origin in their interior.

Proposition 2.1: Suppose that $L \in \mathbb{R}^{l \times n}$ has full column rank and $V$ as defined in (6) is a global LF for system (3) with contraction rate $\rho \in (0, 1)$. Then for all $\Gamma > 0$ it holds that $\mathcal{P}_\Gamma$ is a polytope and $0 \in \mathrm{int}(\mathcal{P}_\Gamma)$. Moreover, if $\Phi(x)$ takes values arbitrarily from a set $\{Ax \mid A \in \mathcal{A}\}$ for some polyhedral set $\mathcal{A} \subseteq \mathbb{R}^{n \times n}$, then for all $\Gamma > 0$ it holds that $\mathcal{P}_\Gamma$ is a $\rho$-contractive polytope for (3).

The proof of the above result is a straightforward application of results in [12], [18].

III. PROBLEM FORMULATION 

In this paper, we consider discrete-time switched linear systems, i.e.,

$$x_{k+1} = A_{\sigma(k)} x_k, \quad \sigma(k) \in \Sigma, \ k \in \mathbb{Z}_+, \qquad (7)$$

where $\sigma : \mathbb{Z}_+ \rightarrow \Sigma$ is a switching sequence that selects the active subsystem from a finite index set $\Sigma$ and $A_i \in \mathbb{R}^{n \times n}$ is a strictly stable (i.e., Schur) matrix for all $i \in \Sigma$. We assume that a global polyhedral Lyapunov function (LF) of the form (6) with contraction rate $\rho \in (0, 1)$ is known for system (7).

Let $\mathcal{X}$ be a polytope $\mathcal{X} := \{x \mid \|Lx\|_\infty \leq \Gamma_{\mathcal{X}}\}$ and $\mathcal{D}$ be a polytope $\mathcal{D} := \{x \mid \|Lx\|_\infty \leq \Gamma_{\mathcal{D}}\}$, where $L$ corresponds to the polytopic LF (6) of system (7) and we assume that $0 < \Gamma_{\mathcal{D}} < \Gamma_{\mathcal{X}}$. Note that $\mathcal{D} \subset \mathcal{X}$ and $0 \in \mathrm{int}(\mathcal{D}) \subset \mathrm{int}(\mathcal{X})$. We call $\mathcal{X}$ the working set and $\mathcal{D}$ the target set. We are interested in synthesis of control strategies and verification of the system behavior within $\mathcal{X}$ with respect to polytopic regions in the state space, until the target set $\mathcal{D}$ is reached (since $\mathcal{D}$ is positively invariant, the system trajectory will be confined within $\mathcal{D}$ after $\mathcal{D}$ is reached).

We assume that there exists a set $\mathcal{R}$ of polytopes indexed by a finite set $R$, i.e., $\mathcal{R} := \{\mathcal{R}_i\}_{i \in R}$, where $\mathcal{R}_i \subset \mathcal{X} \setminus \mathcal{D}$ for all $i \in R$, and $\mathcal{R}_i \cap \mathcal{R}_j = \emptyset$ for any $i \neq j$. The set $\mathcal{R}$ represents regions of interest in the relevant state space, and the polytopes in $\mathcal{R}$ are considered as observations of (7). Therefore, informally, a trajectory $x_0 x_1 \dots$ of (7) produces an infinite sequence of observations $o_0 o_1 \dots$ such that $o_i$ is the index of the polytope in $\mathcal{R}$ visited by state $x_i$, or $o_i = \emptyset$ if $x_i$ is in none of the polytopes.

Example 3.1: Consider a system as in (7), $\Sigma = \{1, 2\}$,
$$A_1 = \begin{pmatrix} -0.65 & 0.32 \\ -0.42 & -0.92 \end{pmatrix} \quad \text{and} \quad A_2 = \begin{pmatrix} 0.65 & 0.32 \\ -0.42 & -0.92 \end{pmatrix}.$$
The algorithm proposed in [12] is employed to construct a global polytopic LF of the form (6), where
$$L = \begin{pmatrix} -0.0625 & 0.6815 & 0.9947 & 0.9947 \\ 1 & 1 & 0.6868 & -0.0678 \end{pmatrix}^T$$
and $\rho = 0.94$. We chose $\Gamma_{\mathcal{X}} = 10$ and $\Gamma_{\mathcal{D}} = 5.063$ (see Fig. 1 for polytopes $\mathcal{X}$, $\mathcal{D}$, and a set of polytopes $\mathcal{R}$).

The semantics of the system can be formalized through an embedding of (7) into a transition system, as follows.

Definition 3.1: Let $\mathcal{X}$, $\mathcal{D}$, and $\mathcal{R} = \{\mathcal{R}_i\}_{i \in R}$ be given. The embedding transition system for (7) is a transition system $T_e = (Q_e, \Sigma, \rightarrow_e, \Pi, h_e)$ where

• $Q_e = \{x \in \mathbb{R}^n \mid x \in \mathcal{X}\}$;

• $\Sigma$ is the same as the index set given in Eqn. (7);

• 1) If $x \in \mathcal{X} \setminus \mathcal{D}$, then $x \xrightarrow{\sigma}_e x'$ if and only if $x' = A_\sigma x$, i.e., $x'$ is the state at the next time-step after applying the dynamics of (7) at $x$ when subsystem $\sigma$ is active; 2) If $x \in \mathcal{D}$, $x \xrightarrow{\sigma}_e x$ for all $\sigma \in \Sigma$ (since the target set $\mathcal{D}$ is already reached, we consider the behavior of the system thereafter no longer relevant);

• $\Pi = R \cup \{\Pi_{\mathcal{D}}\}$, i.e., the set of observations is the set of labels of regions, plus the label $\Pi_{\mathcal{D}}$ for $\mathcal{D}$;

• 1) $h_e(x) := i$ if and only if $x \in \mathcal{R}_i$; 2) $h_e(x) := \emptyset$ if and only if $x \in \mathcal{X} \setminus (\mathcal{D} \cup \bigcup_{i \in R} \mathcal{R}_i)$; 3) $h_e(x) := \Pi_{\mathcal{D}}$ if and only if $x \in \mathcal{D}$.

Note that $T_e$ is deterministic and it has an infinite number of states. Moreover, $T_e$ exactly captures the system dynamics under (7) in the relevant state space $\mathcal{X} \setminus \mathcal{D}$, since a transition of $T_e$ naturally corresponds to the evolution of the discrete-time system in one time-step. Indeed, within $\mathcal{X} \setminus \mathcal{D}$, the trajectory of $T_e$ produced by an input word $\sigma$ from a state $x \in \mathcal{X} \setminus \mathcal{D}$ is exactly the same as the trajectory of system (7) from $x$ under the switching sequence $\sigma$.

The state space of $T_e$ (which is the working set $\mathcal{X}$) can be naturally partitioned as

$$P_{\mathcal{X}} := \left\{ \{\mathcal{R}_i\}_{i \in R},\ \mathcal{X} \setminus \Big(\mathcal{D} \cup \bigcup_{i \in R} \mathcal{R}_i\Big),\ \mathcal{D} \right\}. \qquad (8)$$

The relation induced from partition $P_{\mathcal{X}}$ is observation preserving (see Sec. II-A). We now formulate the main problem considered in this paper.

Problem 3.1: Let a system (7) with a polyhedral Lyapunov function of the form (6), sets $\mathcal{X}$, $\mathcal{D}$ and $\{\mathcal{R}_i\}_{i \in R}$ be given. Compute a finite observation preserving partition $P$ such that its induced relation $\sim$ is a bisimulation of the embedding transition system $T_e$, and obtain the corresponding bisimulation quotient $T_e/\!\sim$.

Remark 3.1: The above assumptions on the sets $\mathcal{X}$, $\mathcal{D}$, and $\{\mathcal{R}_i\}_{i \in R}$ are made for simplicity of presentation. The problem formulation and the approach described in the rest of the paper can be easily extended to arbitrary positively invariant sets $\mathcal{X}$ and $\mathcal{D}$, i.e., not obtained as the sublevel sets of (6), by considering the largest sublevel set that is included in $\mathcal{D}$ and the smallest sublevel set that includes $\mathcal{X}$ ($\Gamma_{\mathcal{D}}$ and $\Gamma_{\mathcal{X}}$ can be made arbitrarily small and arbitrarily large, respectively, so as to capture any compact relevant subset of $\mathbb{R}^n$). Also, the set of polytopes of interest $\{\mathcal{R}_i\}_{i \in R}$ can be relaxed to a finite set of linear predicates in $x$.

IV. GENERATING THE BISIMULATION QUOTIENT 

Starting from a polyhedral Lyapunov function $V(x) = \|Lx\|_\infty$ with a contraction rate $\rho \in (0, 1)$ as described in Sec. II-B for system (7), we first generate a sequence of polytopic sublevel sets of the form $\mathcal{P}_\Gamma := \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \Gamma\}$ as follows. Recall that $\mathcal{X} = \mathcal{P}_{\Gamma_{\mathcal{X}}}$ and $\mathcal{D} = \mathcal{P}_{\Gamma_{\mathcal{D}}}$ for some $0 < \Gamma_{\mathcal{D}} < \Gamma_{\mathcal{X}}$. We define a finite sequence $\bar{\Gamma} := \Gamma_0, \dots, \Gamma_N$, where

$$\Gamma_{i+1} = \rho^{-1} \Gamma_i, \quad i = 0, \dots, N-2, \qquad (9)$$

$\Gamma_0 := \Gamma_{\mathcal{D}}$, $\Gamma_N := \Gamma_{\mathcal{X}}$, and $N := \arg\min_N \{\rho^{-N} \Gamma_0 \mid \rho^{-N} \Gamma_0 \geq \Gamma_{\mathcal{X}}\}$. This choice of $N$ guarantees that $\mathcal{P}_{\Gamma_{N-1}}$ is the largest sublevel set defined via (9) that is a subset of $\mathcal{X}$. Since $\Gamma_N$ is exactly $\Gamma_{\mathcal{X}}$, $\mathcal{P}_{\Gamma_N}$ is exactly $\mathcal{X}$.

The sequence $\bar{\Gamma}$ generates a sequence of sublevel sets $\mathcal{P}_{\bar{\Gamma}} := \mathcal{P}_{\Gamma_0}, \dots, \mathcal{P}_{\Gamma_N}$. From the definition of the sublevel sets and $\bar{\Gamma}$, we have that

$$\mathcal{P}_{\Gamma_0} \subset \dots \subset \mathcal{P}_{\Gamma_N}. \qquad (10)$$

Next, we define a slice of the state space as follows:

$$S_i := \mathcal{P}_{\Gamma_i} \setminus \mathcal{P}_{\Gamma_{i-1}}, \quad i = 1, \dots, N. \qquad (11)$$

For convenience, we also denote $S_0 := \mathcal{P}_{\Gamma_0}$ (although $S_0$ is not a slice in between two sublevel sets). We immediately see that the sets $\{S_i\}_{i=0,\dots,N}$ form a partition of $\mathcal{X}$. Note that the slices are bounded semi-linear sets (see Sec. II).
Example 4.1 (Example 3.1 continued): Consider the system given in Example 3.1 and $N = 11$ in Eqn. (9). The polytopic sublevel sets $\mathcal{P}_{\bar{\Gamma}} = \mathcal{P}_{\Gamma_0}, \dots, \mathcal{P}_{\Gamma_{11}}$ are shown in Fig. 1.

Fig. 1: An example in $\mathbb{R}^2$ of the working set $\mathcal{X}$, the target set $\mathcal{D}$ (in brown), a set of observationally relevant polytopes $\mathcal{R} = \{\mathcal{R}_1, \mathcal{R}_2, \mathcal{R}_3\}$ (in transparent green), sublevel sets with $N = 11$ and one slice $S_6$ (in purple).

Proposition 4.1: Assume that the set of slices $\{S_i\}_{i=0,\dots,N}$ is obtained from a sequence $\bar{\Gamma}$ satisfying (9). Given a state $x$ in the $i$-th slice, i.e., $x \in S_i$, where $1 \leq i \leq N$, its successor state ($x' = A_\sigma x$, $\sigma \in \Sigma$) satisfies $x' \in S_j$ for some $j < i$.

Proof: From Prop. 2.1 we have that the sublevel sets $\mathcal{P}_{\Gamma_i}$ are $\rho$-contractive. By the definition of a $\rho$-contractive set (Def. 2.6), we have that $x' = A_\sigma x \in \rho\mathcal{P}_{\Gamma_i} = \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \rho\Gamma_i\}$ for all $\sigma \in \Sigma$. From (9), we have $\rho\Gamma_i = \Gamma_{i-1}$. Therefore $\mathcal{P}_{\Gamma_{i-1}} = \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \Gamma_{i-1}\}$ implies that $\mathcal{P}_{\Gamma_{i-1}} = \{x \in \mathbb{R}^n \mid \|Lx\|_\infty \leq \rho\Gamma_i\}$, hence $\mathcal{P}_{\Gamma_{i-1}} = \rho\mathcal{P}_{\Gamma_i}$ and $x' \in \mathcal{P}_{\Gamma_{i-1}}$. From the definition of slices (11), $x' \in S_j$ for some $j < i$. ∎

We now present the abstraction algorithm (see Alg. 1) that computes the bisimulation quotient. In Alg. 1 we make use of two procedures ComputePre and RefineUpdate, which will be further explained below. The main idea is to start with $P_{\mathcal{X}}$ (Eqn. (8)), refine the partition according to $\{S_i\}_{i=0,\dots,N}$ to guarantee that it is a refinement of both $P_{\mathcal{X}}$ as in (8) and $\{S_i\}_{i=0,\dots,N}$, and then iteratively refine according to the Pre operator (see Eqn. (2)). The first step, starting with $P_{\mathcal{X}}$, is necessary so that the partition is observation preserving. The second step guarantees that each element in the partition is included in a slice. The third step allows us to ensure that at iteration $i$ of the algorithm, the bisimulation quotient for states within $\mathcal{P}_{\Gamma_i}$ is completed.

The procedure ComputePre($\mathcal{P}, \sigma$) takes as input $\mathcal{P}$, which is a bounded semi-linear set (e.g., a slice), and $\sigma \in \Sigma$, which is the switching input, and returns the set $\mathrm{Pre}_{T_e}(\mathcal{P}, \sigma)$. If $\mathcal{P}$ is a polytope, then $\mathrm{Pre}_{T_e}(\mathcal{P}, \sigma)$ is computed as

$$\mathrm{Pre}_{T_e}(\mathcal{P}, \sigma) = \{x \in \mathbb{R}^n \mid H_{\mathcal{P}} A_\sigma x \leq h_{\mathcal{P}}\}. \qquad (12)$$




In general, if $\mathcal{P}$ is a semi-linear set, then $\mathrm{Pre}_{T_e}(\mathcal{P}, \sigma)$ is also a semi-linear set and it can be computed via quantifier elimination [19]. In particular, $\mathrm{Pre}_{T_e}(\mathcal{P}, \sigma)$ for a bounded semi-linear set $\mathcal{P}$ can be computed via a convex decomposition and repeated applications of (12). This computation is discussed in more detail in [13]. Note that ComputePre($\mathcal{P}, \sigma$) only requires polytopic operations.
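The polytopic building blocks of Alg. 1, i.e. the sublevel sequence of Eqn. (9), the slices of Eqn. (11) and the predecessor of a polytope in Eqn. (12), as an added example that is not the paper's code. It uses a constructed two-dimensional system with $L = I$ (so $V(x) = \|x\|_\infty$), modes $A_1, A_2$ whose induced infinity norms bound the contraction rate by $\rho = 0.8$, and $\Gamma_{\mathcal{D}} = 1$, $\Gamma_{\mathcal{X}} = 3$; it also checks Prop. 4.1 on a grid of sample points.

```python
"""Added example (not the paper's code): the sublevel sequence (9), slice
membership (11) and the one-step predecessor of a polytope (12) used by
Algorithm 1, for a small constructed system.

Constructed system (not Example 3.1): n = 2, L = I_2 so V(x) = ||x||_inf,
A1 = [[0.5, 0.3], [0, 0.6]] and A2 = [[0.6, 0], [0.2, 0.5]].  Since
||A1||_inf = 0.8 and ||A2||_inf = 0.7, V(A_s x) <= 0.8 V(x) for both modes,
so rho = 0.8 is a valid contraction rate for this V."""

L = [[1.0, 0.0], [0.0, 1.0]]
A = {1: [[0.5, 0.3], [0.0, 0.6]], 2: [[0.6, 0.0], [0.2, 0.5]]}
RHO, GAMMA_D, GAMMA_X = 0.8, 1.0, 3.0   # target set D = P_1, working set X = P_3


def matvec(M, x):
    return [sum(m * xi for m, xi in zip(row, x)) for row in M]


def matmul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N)))
             for j in range(len(N[0]))] for i in range(len(M))]


def lyapunov(x):
    """V(x) = ||L x||_inf, Eqn. (6)."""
    return max(abs(v) for v in matvec(L, x))


def gamma_sequence(gamma_d, gamma_x, rho):
    """Eqn. (9): Gamma_0 = Gamma_D, Gamma_{i+1} = Gamma_i / rho, stopping at the
    first N with rho^-N Gamma_0 >= Gamma_X; Gamma_N is then set to Gamma_X so
    that P_{Gamma_N} is exactly the working set X."""
    assert 0 < gamma_d < gamma_x and 0 < rho < 1
    gammas = [gamma_d]
    while gammas[-1] < gamma_x:
        gammas.append(gammas[-1] / rho)
    gammas[-1] = gamma_x
    return gammas


def slice_index(x, gammas):
    """Index i of the slice S_i = P_{Gamma_i} \\ P_{Gamma_{i-1}} (Eqn. (11))
    containing x, i.e. the smallest i with V(x) <= Gamma_i; None outside X."""
    v = lyapunov(x)
    return next((i for i, g in enumerate(gammas) if v <= g), None)


def sublevel_hrep(gamma):
    """H-representation (1) of P_Gamma = {x : ||L x||_inf <= Gamma}: the rows
    of L and -L with right-hand side Gamma."""
    H = [row[:] for row in L] + [[-v for v in row] for row in L]
    return H, [gamma] * len(H)


def pre_polytope(H, h, sigma):
    """Eqn. (12): Pre_Te(P, sigma) = {x : H A_sigma x <= h} for P = {x : H x <= h}.
    Only a matrix product is needed, no vertex enumeration."""
    return matmul(H, A[sigma]), list(h)


def contains(H, h, x, tol=1e-12):
    return all(sum(r * xi for r, xi in zip(row, x)) <= b + tol
               for row, b in zip(H, h))


def grid(step=0.25, extent=3.0):
    """Constructed sample points covering [-extent, extent]^2."""
    k = int(extent / step)
    return [(a * step, b * step) for a in range(-k, k + 1) for b in range(-k, k + 1)]


def slices_descend(gammas):
    """Proposition 4.1 checked on the grid: every successor of a point in S_i
    (i >= 1) lies in some S_j with j < i.  Returns False at the first violation."""
    for x in grid():
        i = slice_index(x, gammas)
        if i is None or i == 0:
            continue
        for sigma in A:
            j = slice_index(matvec(A[sigma], x), gammas)
            if j is None or j >= i:
                return False
    return True


def pre_matches_dynamics(gamma, sigma):
    """Sanity check of (12) on the grid: x lies in Pre(P_Gamma, sigma) exactly
    when A_sigma x lies in P_Gamma."""
    H, h = sublevel_hrep(gamma)
    Hp, hp = pre_polytope(H, h, sigma)
    return all(contains(Hp, hp, x) == contains(H, h, matvec(A[sigma], x))
               for x in grid())


if __name__ == "__main__":
    gammas = gamma_sequence(GAMMA_D, GAMMA_X, RHO)
    print("N =", len(gammas) - 1, "Gamma =", gammas)
    print("slices descend (Prop. 4.1):", slices_descend(gammas))
    print("Pre(P_Gamma_1, 1) consistent with A_1:", pre_matches_dynamics(gammas[1], 1))
```

With the numbers of Example 3.1 ($\Gamma_{\mathcal{D}} = 5.063$, $\Gamma_{\mathcal{X}} = 10$, $\rho = 0.94$), gamma_sequence returns $N = 11$, matching Example 4.1.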

The procedure RefineUpdate($P, T, \mathcal{P}, \sigma, q$) (outlined in Alg. 2) refines a partition $P$ with respect to set $\mathcal{P}$, where $\mathcal{P}$ = ComputePre($\mathrm{eq}(q), \sigma$). It then updates $T$. If $P$ consists of only bounded semi-linear sets and $\mathcal{P}$ is a semi-linear set, then the resulting refinement $P^+$ consists of only bounded semi-linear sets. This fact allows us to always use ComputePre($\mathcal{P}, \sigma$).



Algorithm 1 Abstraction algorithm

Input: System dynamics (7), polytopic LF $V(x) = \|Lx\|_\infty$ with a contraction rate $\rho$, sets $\mathcal{X}$, $\mathcal{D}$ and $\{\mathcal{R}_i\}_{i \in R}$.
Output: $T_e/\!\sim$ as a bisimulation quotient of the embedding transition system $T_e$ and the corresponding observation preserving partition $P$.
1: Obtain $P_{\mathcal{X}}$ as in (8).
2: Generate the sequence of sublevel sets $\mathcal{P}_{\bar{\Gamma}} = \mathcal{P}_{\Gamma_0}, \dots, \mathcal{P}_{\Gamma_N}$ and slices $S_0, \dots, S_N$ as defined in (11).
3: Set $P_0 = \{P_1 \cap P_2 \neq \emptyset \mid P_1 \in P_{\mathcal{X}},\ P_2 \in \{S_i\}_{i=0,\dots,N}\}$.
4: Initialize $T_e/\!\sim_0$ by setting $Q_e/\!\sim_0$ as the set labeling $P_0$. Set transitions only for the state $q \in Q_e/\!\sim_0$ where $\mathrm{eq}(q) = S_0 = \mathcal{D}$, with $q \xrightarrow{\sigma}_\sim q$ for all $\sigma \in \Sigma$.
5: for each $i = 0, \dots, N-1$ do
6:    Set $T_e/\!\sim_{i+1} = T_e/\!\sim_i$ and $P_{i+1} = P_i$.
7:    for each $q \in Q_e/\!\sim_i$ where $\mathrm{eq}(q) \subseteq S_i$ do
8:       for each $\sigma \in \Sigma$ do
9:          Find $\mathcal{P}$ = ComputePre($\mathrm{eq}(q), \sigma$).
10:         Set $[P_{i+1}, T_e/\!\sim_{i+1}]$ = RefineUpdate($P_{i+1}, T_e/\!\sim_{i+1}, \mathcal{P}, \sigma, q$).
         end for
      end for
   end for
Return $T_e/\!\sim_N$ and $P_N$ as a solution to Prob. 3.1.


Algorithm 2 $[P^+, T^+]$ = RefineUpdate($P, T, \mathcal{P}, \sigma, q$)

Input: A TS $T = (Q, \Sigma, \rightarrow, \Pi, h)$, a partition $P$ where $\mathrm{eq}(q') \in P$ for all $q' \in Q$, and $\mathcal{P}$ = ComputePre($\mathrm{eq}(q), \sigma$) for some $q \in Q$, $\sigma \in \Sigma$.
Output: $P^+$ is a finite refinement of $P$ with respect to $\mathcal{P}$, $T^+$ is a TS updated from $T$.
1: Set $P^+ = P$ and $T^+ = T$.
2: for all $q' \in Q^+$ such that $\mathrm{eq}(q') \cap \mathcal{P} \neq \emptyset$ do
3:    Replace $q'$ in $Q^+$ by $\{q_1, q_2\}$ and set $\mathrm{eq}(q_1) = \mathrm{eq}(q') \cap \mathcal{P}$, $\mathrm{eq}(q_2) = \mathrm{eq}(q') \setminus \mathcal{P}$.
4:    Replace $\mathrm{eq}(q')$ in $P^+$ by $\{\mathrm{eq}(q_1), \mathrm{eq}(q_2)\}$.
5:    Replace each $(q', \sigma', q'') \in \rightarrow^+$ by $\{(q_i, \sigma', q'')\}_{i=1,2}$.
6:    Add transition $(q_1, \sigma, q)$ to $\rightarrow^+$.
7: end for



The correctness of Alg. 1 will be shown by an inductive argument. Given a sublevel set $\mathcal{P}_{\Gamma_i}$ and a partition $P_i$ as obtained in Alg. 1, we define $\bar{P}_i$ as

$$\bar{P}_i := \{P \in P_i \mid P \subseteq \mathcal{P}_{\Gamma_i}\}. \qquad (13)$$

From Alg. 1 we see that $P_0$ partitions all the slices, and since $P_i$ is a finite refinement of $P_0$, we can directly see that $\bar{P}_i$ is a partition of $\mathcal{P}_{\Gamma_i}$. Let us define an embedding transition system $T_e(i)$ as a subset of $T_e$ with set of states $\{x \in Q_e \mid x \in \mathcal{P}_{\Gamma_i}\}$ and let us state the following result.

Proposition 4.2: At the completion of the $i$-th iteration (of the outer loop) of Alg. 1 (where $P_{i+1}$ is obtained), if $\sim_i$ induced by $\bar{P}_i$ as defined in (13) is a bisimulation of $T_e(i)$, then $\sim_{i+1}$ induced by $\bar{P}_{i+1}$ is a bisimulation of $T_e(i+1)$.

Proof: We show that at the end of the $i$-th iteration, each transition originating at a state $q \in Q_e/\!\sim_{i+1}$ with $\mathrm{eq}(q) \subset \mathcal{P}_{\Gamma_{i+1}}$ satisfies the bisimulation requirement (Def. 2.5). By Prop. 4.1, for each $x \in S_{i+1}$ and $\sigma \in \Sigma$, $x' = A_\sigma x$ must be in a slice with a lower index and thus $x' \in T_e(i)$. Let $x \in \mathrm{eq}(q) \in P_i$. If $x' \in S_i$, then we have $x \in \mathcal{P}$ = ComputePre($\mathrm{eq}(q'), \sigma$) (from step 9 of Alg. 1) for some $q' \in Q_e/\!\sim_i$. The RefineUpdate procedure replaces $\mathrm{eq}(q)$ with $\mathrm{eq}(q_1) = \mathrm{eq}(q) \cap \mathcal{P}$ and $\mathrm{eq}(q_2) = \mathrm{eq}(q) \setminus \mathcal{P}$, and updates $T_e/\!\sim_{i+1}$. We note from Eqn. (12) that for any $x \in \mathrm{eq}(q_1)$, $x' = A_\sigma x \in \mathrm{eq}(q')$, thus for any $x_1, x_2 \in \mathrm{eq}(q_1)$, $x_1 \sim x_2$ and $A_\sigma x_1 \sim A_\sigma x_2$. Moreover, the same argument holds for any subset of $\mathrm{eq}(q_1)$. Therefore, the transitions given in steps 5 and 6 of Alg. 2 satisfy the bisimulation requirement. On the other hand, if $x' \notin S_i$, then $x' \in S_j$ for some $j < i$ and $x$ is already in a set $\mathrm{eq}(q)$, where $q \xrightarrow{\sigma}_{\sim_{i+1}} q'$ for some $q'$ satisfying the bisimulation requirement. Therefore, step 9 of Alg. 1 provides exactly the transitions needed for all states in $S_{i+1}$ and thus, $\sim_{i+1}$ induced by $\bar{P}_{i+1}$ is a bisimulation of $T_e(i+1)$. ∎

Theorem 4.1: Alg. 1 returns a solution to Prob. 3.1 in finite time.

Proof: From Alg. 2 we have that $P_i$ is a refinement of $P_{\mathcal{X}}$ for any $i = 0, \dots, N$. Therefore, $P_N$ and its induced relation $\sim_N$ are observation preserving.

At step 4 of Alg. 1 we set $q \xrightarrow{\sigma}_\sim q$, $\forall \sigma \in \Sigma$, where $\mathrm{eq}(q) = \mathcal{D}$. From the definition of $T_e$, we see that since $\mathcal{D}$ is the only state, $\sim_0$ induced by $\bar{P}_0$ is a bisimulation of $T_e(0)$. Using Prop. 4.2 and induction, at iteration $N-1$, we have that $\sim_N$ induced by $\bar{P}_N$ is a bisimulation of $T_e(N)$. Note that $\bar{P}_N$ is exactly $P_N$, $\mathcal{P}_{\Gamma_N}$ is exactly $\mathcal{X}$ and $T_e(N)$ is exactly $T_e$. Therefore $\sim_N$ induced by $P_N$ is a bisimulation of $T_e$.

Finally, note that at each iteration $i$, the number of updated sets is finite as the partition $P_i$ and the set of inputs $\Sigma$ are finite. Therefore, the bisimulation quotient is finite and Alg. 1 completes in finite time. ∎

Example 4.2 (Example 4.1 continued): Alg. 1 is applied on the same setting as in Example 4.1 to compute the bisimulation quotient. $P_3$ and $P_{11}$ are shown in Fig. 2.

V. TEMPORAL LOGIC SYNTHESIS AND VERIFICATION

After we obtain a bisimulation quotient for system (7), we can solve verification and controller synthesis problems from temporal logic specifications such as CTL*, CTL and LTL. The asymptotic stability assumption implies that all trajectories of (7) sink in $\mathcal{D}$. For this reason, we will focus on the syntactically co-safe fragment of LTL, which includes all specifications of LTL where satisfaction by a trajectory can be determined by a finite prefix. Since we are interested in the behavior of (7) until $\mathcal{D}$ is reached, scLTL is sufficiently rich as the specification language.

A detailed description of the syntax and semantics of scLTL is beyond the scope of this paper and can be found in, for example, [20], [21]. Roughly, an scLTL formula is built up from a set of atomic propositions $\Pi$, standard Boolean operators $\neg$ (negation), $\vee$ (disjunction), $\wedge$ (conjunction), $\Rightarrow$ (implication) and temporal operators $X$ (next), $U$ (until) and $F$ (eventually). The semantics of scLTL formulas is given over infinite words $o = o_0 o_1 \dots$, where $o_i \in 2^{\Pi}$ for all $i$. We write $o \models \phi$ if the word $o$ satisfies the scLTL formula $\phi$. We say a trajectory $q$ of a transition system $T$ satisfies scLTL formula $\phi$, if the word generated by $q$ (see Def. 2.1) satisfies $\phi$.

Fig. 2: The observed regions are shown in transparent green in (a) and (b). (a) At the end of the third iteration ($i = 2$), the bisimulation quotient for states within $\mathcal{P}_{\Gamma_3}$ is completed, which are shown in red and purple. In the fourth iteration, the states within $\mathcal{P}_{\Gamma_4} \setminus \mathcal{P}_{\Gamma_3}$ will be partitioned according to $\mathrm{Pre}_{T_e}(\mathcal{P}, \sigma)$, $\mathcal{P} \subseteq S_3$. (b) $S_3$ is shown in purple, and $\mathrm{Pre}_{T_e}(S_3, 1)$ and $\mathrm{Pre}_{T_e}(S_3, 2)$ are shown in light and dark blue. (c) At the last iteration where $i = 10$, the algorithm is completed. The state space covered by the bisimulation quotient is shown in red, covering all of $\mathcal{X}$.



Example 5.1: Again, consider the setting in Example 3.1 with $\mathcal{R} = \{\mathcal{R}_i\}_{i \in \{1,2,3\}}$. We now consider a specification in scLTL over $\{\mathcal{R}_1, \mathcal{R}_2, \mathcal{R}_3, \Pi_{\mathcal{D}}\}$. For example, the specification "A system trajectory never visits $\mathcal{R}_2$ and eventually visits $\mathcal{R}_1$. Moreover, if it visits $\mathcal{R}_3$ then it must not visit $\mathcal{R}_1$ at the next time step" can be translated to an scLTL formula:

$$\phi := (\neg\mathcal{R}_2\ U\ \Pi_{\mathcal{D}}) \wedge F\,\mathcal{R}_1 \wedge \big((\mathcal{R}_3 \Rightarrow X\,\neg\mathcal{R}_1)\ U\ \Pi_{\mathcal{D}}\big). \qquad (14)$$

A. Synthesis of switching strategies

In this section, we assume that we can choose the dynamics $A_\sigma$, $\sigma \in \Sigma$, to be applied at each step $k$. Our goal is to find a set of initial states and a switching sequence (i.e., a sequence of elements from $\Sigma$ to be applied at each step) for each initial state such that all the corresponding trajectories of system (7) satisfy a temporal logic specification. Formally, we consider the following problem:

Problem 5.1: Consider system (7) with a polyhedral Lyapunov function in the form of (6), sets $\mathcal{X}$, $\mathcal{D}$ and $\{\mathcal{R}_i\}_{i \in R}$, and an scLTL formula $\phi$ over $R \cup \{\Pi_{\mathcal{D}}\}$. Find the largest set $\mathcal{X}_s \subseteq \mathcal{X}$ and a function $\Omega : \mathcal{X}_s \rightarrow \Sigma^*$ such that the trajectory of system (7) initiated from a state $x_0 \in \mathcal{X}_s$ under the switching sequence $\Omega(x_0)$ satisfies $\phi$.

As a switched system is deterministic, it produces a unique trajectory for a given initial state and switching sequence. This fact allows us to provide a solution to Problem 5.1 as an assignment of a switching sequence to each initial state. Our solution to Prob. 5.1 proceeds by finding a bisimulation quotient $T_e/\!\sim$ of the embedding transition system $T_e$ using Alg. 1. Then we translate $\phi$ to a Finite State Automaton (FSA), defined below.



Definition 5.1: A deterministic finite state automaton (FSA) is a tuple $\mathcal{A} = (S_{\mathcal{A}}, S_{\mathcal{A}0}, \Sigma, \delta_{\mathcal{A}}, F_{\mathcal{A}})$ where

• $S_{\mathcal{A}}$ is a finite set of states;

• $S_{\mathcal{A}0} \subseteq S_{\mathcal{A}}$ is a set of initial states;

• $\Sigma$ is an input alphabet;

• $\delta_{\mathcal{A}} : S_{\mathcal{A}} \times \Sigma \rightarrow S_{\mathcal{A}}$ is a transition function;

• $F_{\mathcal{A}} \subseteq S_{\mathcal{A}}$ is a set of final states.

A word $a = a_0 \dots a_{d-1}$ over $\Sigma$ generates a trajectory $s_0 \dots s_d$, where $s_0 \in S_{\mathcal{A}0}$ and $\delta_{\mathcal{A}}(s_i, a_i) = s_{i+1}$ for all $i = 0, \dots, d-1$. $\mathcal{A}$ accepts word $a$ if $s_d \in F_{\mathcal{A}}$.

For any scLTL formula $\phi$ over $\Pi$, there exists an FSA $\mathcal{A}$ with input alphabet $2^{\Pi}$ that accepts the prefixes of all and only the satisfying words [20], [22].

Definition 5.2: Given a transition system $T = (Q, \Sigma, \rightarrow, \Pi, h)$ and an FSA $\mathcal{A} = (S_{\mathcal{A}}, S_{\mathcal{A}0}, 2^{\Pi}, \delta_{\mathcal{A}}, F_{\mathcal{A}})$, their product automaton, denoted by $\mathcal{PA} = T \times \mathcal{A}$, is a tuple $\mathcal{PA} = (S_{\mathcal{PA}}, S_{\mathcal{PA}0}, \Sigma, \rightarrow_{\mathcal{PA}}, F_{\mathcal{PA}})$ where

• $S_{\mathcal{PA}} = Q \times S_{\mathcal{A}}$;

• $S_{\mathcal{PA}0} = Q \times S_{\mathcal{A}0}$;

• $\rightarrow_{\mathcal{PA}} \subseteq S_{\mathcal{PA}} \times \Sigma \times S_{\mathcal{PA}}$ is the set of transitions, defined by: $((q, s), \sigma, (q', s')) \in \rightarrow_{\mathcal{PA}}$ iff $q \xrightarrow{\sigma} q'$ and $\delta_{\mathcal{A}}(s, h(q)) = s'$;

• $F_{\mathcal{PA}} = Q \times F_{\mathcal{A}}$.

We denote $s_{\mathcal{PA}} \xrightarrow{\sigma}_{\mathcal{PA}} s'_{\mathcal{PA}}$ if $(s_{\mathcal{PA}}, \sigma, s'_{\mathcal{PA}}) \in \rightarrow_{\mathcal{PA}}$. A trajectory $p = (q_0, s_0) \dots (q_d, s_d)$ of $\mathcal{PA}$ produced by input word $\sigma = \sigma_0 \dots \sigma_{d-1}$ is a finite sequence such that $(q_0, s_0) \in S_{\mathcal{PA}0}$ and $(q_k, s_k) \xrightarrow{\sigma_k}_{\mathcal{PA}} (q_{k+1}, s_{k+1})$ for all $k = 0, \dots, d-1$. $p$ is called accepting if $(q_d, s_d) \in F_{\mathcal{PA}}$.

By the construction of $\mathcal{PA}$ from $T$ and $\mathcal{A}$, $p$ produced by $\sigma$ is accepting if and only if $q = \pi(p)$ satisfies the scLTL formula corresponding to $\mathcal{A}$ [21], where $\pi(p)$ is the projection of a trajectory $p$ of $\mathcal{PA}$ onto $T$ by simply removing the automaton part of the state in $s_{\mathcal{PA}} \in S_{\mathcal{PA}}$.

We construct the product $\mathcal{PA}$ between the quotient transition system $T_e/\!\sim$ obtained from Alg. 1 and FSA $A$ corresponding to specification formula $\phi$. By performing a graph search on $\mathcal{PA}$, we can find the largest subset $\hat{S}_{\mathcal{PA}}$ of $S_{\mathcal{PA}}$ and a feedback control function $\Omega_{\mathcal{PA}} : \hat{S}_{\mathcal{PA}} \to \Sigma$ such that the trajectories of $\mathcal{PA}$ originating in $\hat{S}_{\mathcal{PA}}$ in closed loop with $\Omega_{\mathcal{PA}}$ reach $F_{\mathcal{PA}}$. Then, we define the set of satisfying initial states of system (7) from $\hat{S}_{\mathcal{PA}}$ as

$$X^S = \{ eq(q) \mid (q, s) \in (\hat{S}_{\mathcal{PA}} \cap S_{\mathcal{PA}0}) \}. \quad (15)$$

Since $\mathcal{PA}$ is deterministic, $\Omega_{\mathcal{PA}}$ defines a unique input word for each $(q_0, s_0) \in \hat{S}_{\mathcal{PA}}$. Moreover, an input word of $\mathcal{PA}$ directly maps to a switching sequence for system (7). Formally, the switching sequence $\Omega : X^S \to \Sigma^*$ is obtained by "projecting" $\Omega_{\mathcal{PA}}$ from $\mathcal{PA}$ to $T$ as follows:

$$\Omega(x) = \Omega_{\mathcal{PA}}((q_0, s_0)) \ldots \Omega_{\mathcal{PA}}((q_{d-1}, s_{d-1})), \quad (16)$$

where $x \in eq(q_0)$, $s_0 \in S_{A0}$, $(q_i, s_i) \to_{\mathcal{PA}} (q_{i+1}, s_{i+1})$ for each $i = 0, \ldots, d-1$ and $(q_d, s_d) \in F_{\mathcal{PA}}$.

Proposition 5.1: $X^S$ as defined in Eqn. (15) and function $\Omega$ as defined in Eqn. (16) solve Prob. 5.1.

Proof: For each $x \in X^S$, there exists $(q_0, s_0) \in \hat{S}_{\mathcal{PA}}$ such that $x \in eq(q_0)$ and $s_0 \in S_{A0}$ by Eqn. (15). By construction of $\mathcal{PA}$ and definition of $\Omega$ (Eqn. (16)), the trajectory of $T_e/\!\sim$ originating at $q_0$ and generated by input word $\Omega(x)$ satisfies $\phi$. Then by bisimulation relation the trajectories of (7) originating in $eq(q_0)$ and generated by switching sequence $\Omega(x)$ satisfy $\phi$.

We prove that $X^S$ is the largest set of satisfying initial states by contradiction. Assume that there exists $x_0 \notin X^S$ such that a trajectory $x = x_0 \ldots x_d$ originating at $x_0$ of (7) produced by switching sequence $\sigma = \sigma_0 \ldots \sigma_{d-1}$ satisfies $\phi$, and $x_0 \in eq(q_0)$ where $q_0 \in Q_e/\!\sim$. Then by the bisimulation relation 1) there exists a trajectory $q = q_0 \ldots q_d$ of $T_e/\!\sim$ such that $x_i \in eq(q_i)$, $q_i \xrightarrow{\sigma_i}_{e/\sim} q_{i+1}$ for all $i = 0, \ldots, d-1$ and $x_d \in eq(q_d)$, 2) $q$ satisfies $\phi$. However, we know that on the product $\mathcal{PA} = T_e/\!\sim \times A$, $F_{\mathcal{PA}}$ is not reachable from $\{(q_0, s) \mid s \in S_{A0}\}$. Hence, a trajectory $p$ originating in $\{(q_0, s) \mid s \in S_{A0}\}$ cannot be accepting on $\mathcal{PA}$, and by construction of $\mathcal{PA}$ [21] $\pi_{e/\sim}(p)$ as a trajectory of $T_e/\!\sim$ cannot satisfy formula $\phi$, which yields a contradiction. ■

Example 5.2 (Example 5.1 continued): For the example specification $\phi$ (14), we obtained the solution to Prob. 5.1. The FSA has 6 states and the quotient TS obtained from Alg. 1 has 9677 states. The set of initial states $X^S$ is shown in Fig. 3.

B. Verification under arbitrary switching 

Problem 5.2: Consider system (7) with a polyhedral Lyapunov function in the form of (6), sets $X$, $V$ and $\{\mathcal{R}_i\}_{i \in R}$, and a scLTL formula $\phi$ over $R \cup \{\Pi_d\}$. Find the largest set $X^{AS} \subseteq X$ such that all trajectories of system (7) originating in $X^{AS}$ satisfy $\phi$ under arbitrary switching.

Note that system (7) under arbitrary switching is uncontrolled and non-deterministic, i.e., at every time-step a subsystem is arbitrarily chosen from the set $\Sigma$. Therefore, we define an embedding transition system $T_e^A = \{Q_e, \Sigma^A, \to_e^A, h_e\}$ for the arbitrary switching setup from the embedding transition system $T_e = \{Q_e, \Sigma, \to_e, h_e\}$ (Def. 3.1) by adapting the input set and the set of transitions as follows:

• $\Sigma^A = \{\epsilon\}$,
• $\to_e^A = \{(q, \epsilon, q') \mid \exists \sigma \in \Sigma, (q, \sigma, q') \in \to_e\}$.

We denote $q \to_e^A q'$ if $(q, \epsilon, q') \in \to_e^A$. We use $\epsilon$ as a "dummy" input because the transitions of $T_e$ are not controlled. Note that $T_e^A$ is infinite and non-deterministic. Moreover, $T_e^A$ exactly captures dynamics of system (7) under arbitrary switching in the relevant state space $X \setminus V$.

Fig. 3: $X^S$ is shown in purple. $X$, $V$, $\{\mathcal{R}_i\}_{i \in R}$ and two sample trajectories are indicated by their labels.

Our solution to Prob. 5.2 parallels the solution we proposed for Prob. 5.1. We first convert the bisimulation quotient $T_e/\!\sim = \{Q_e/\!\sim, \Sigma, \to_{e/\sim}, h_{e/\sim}\}$ of $T_e$ obtained from Alg. 1 to $T_e^A/\!\sim = \{Q_e/\!\sim, \Sigma^A, \to^A_{e/\sim}, h_{e/\sim}\}$ as follows:

• $\Sigma^A = \{\epsilon\}$,
• $\to^A_{e/\sim} = \{(q, \epsilon, q') \mid \exists \sigma \in \Sigma, (q, \sigma, q') \in \to_{e/\sim}\}$.

In this case, we have a particular bisimulation relation. The embedding and the quotient transition systems have a single input that labels all the transitions.

Proposition 5.2: $T_e^A/\!\sim$ is a bisimulation quotient of $T_e^A$.

Proof: Let $q_1, q_2 \in eq(q)$, $q'_1 \in eq(q')$ and $q_1 \to_e^A q'_1$, where $q, q' \in Q_e/\!\sim$ and $q_1, q_2, q'_1 \in Q_e$. To prove the bisimulation property we need to show that there exists $q'_2 \in eq(q')$ such that $q_2 \to_e^A q'_2$.

If $q_1 \to_e^A q'_1$, then there exists $\sigma \in \Sigma$ such that $q_1 \xrightarrow{\sigma}_e q'_1$, i.e., $q'_1 = A_\sigma q_1$. Steps 9 and 10 of Alg. 1 guarantee that $eq(q) \subseteq Pre_{T_e}(eq(q'), \sigma)$. Therefore, for all $\tilde{q} \in eq(q)$, $A_\sigma \tilde{q} \in eq(q')$, and hence for all $\tilde{q} \in eq(q)$, $\tilde{q} \to_e^A \tilde{q}'$ for some $\tilde{q}' \in eq(q')$. ■
Parallel to our solution to Prob. 5.1 we construct a FSA $A$ corresponding to specification formula $\phi$, and then we take the product $\mathcal{PA}^A = (S_{\mathcal{PA}^A}, S_{\mathcal{PA}^A 0}, \Sigma^A, \to_{\mathcal{PA}^A}, F_{\mathcal{PA}^A})$ between $T_e^A/\!\sim$ and $A$ as described in Def. 5.2. Note that $\mathcal{PA}^A$ is non-deterministic as $T_e^A/\!\sim$ is non-deterministic.

To finally solve Prob. 5.2 we formulate the fixed point problem:

$$J(s_{\mathcal{PA}}) = \min\Big( J(s_{\mathcal{PA}}),\ \max_{s_{\mathcal{PA}} \to_{\mathcal{PA}^A} s'_{\mathcal{PA}}} J(s'_{\mathcal{PA}}) + 1 \Big), \quad (17)$$

initialized with $J(s_{\mathcal{PA}}) = \infty$ for all $s_{\mathcal{PA}} \in S_{\mathcal{PA}^A} \setminus F_{\mathcal{PA}^A}$ and $J(s_{\mathcal{PA}}) = 0$ for all $s_{\mathcal{PA}} \in F_{\mathcal{PA}^A}$.
Proposition 5.3: Let $\hat{S}_{\mathcal{PA}^A} = \{ s_{\mathcal{PA}} \in S_{\mathcal{PA}^A} \mid J(s_{\mathcal{PA}}) < \infty \}$ and define $X^{AS} = \{ eq(q) \mid (q, s) \in (\hat{S}_{\mathcal{PA}^A} \cap S_{\mathcal{PA}^A 0}) \}$. Then $X^{AS}$ solves Prob. 5.2.



Proof: For each $x \in X^{AS}$, there exists $(q_0, s_0) \in \hat{S}_{\mathcal{PA}^A}$ such that $x \in eq(q_0)$ and $s_0 \in S_{A0}$. The fixed point algorithm guarantees that every trajectory of $\mathcal{PA}^A$ originating at $(q_0, s_0)$ reaches $F_{\mathcal{PA}^A}$. Then, construction of $\mathcal{PA}^A$ and bisimulation relation guarantee that all of the trajectories of (7) originating in $eq(q_0)$ satisfy $\phi$.

If $x_0 \notin X^{AS}$ we need to show that there exists a trajectory $x = x_0 \ldots x_d$ of (7) that violates $\phi$. Let $x_0 \in eq(q_0)$. If $x_0 \notin X^{AS}$, then for all $s_0 \in S_{A0}$ there exists a trajectory $p = (q_0, s_0) \ldots (q_d, s_d)$ of $\mathcal{PA}^A$ that can not reach $F_{\mathcal{PA}^A}$, otherwise $(q_0, s_0)$ would be included in $\hat{S}_{\mathcal{PA}^A}$. Since $p$ can not reach $F_{\mathcal{PA}^A}$, $q = \pi(p)$ violates $\phi$. By bisimulation property, there exists a trajectory $x = x_0 \ldots x_d$ of (7) that produces the same word as $q$, and hence $x$ violates $\phi$. ■
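The graph search on $\mathcal{PA}$ from Sec. V-A and the fixed point (17) from Sec. V-B can both be run on the same product automaton. The following Python example is added here and is not part of the paper or of its MATLAB package: it builds a constructed five-state quotient transition system, a hand-written FSA for the scLTL formula $(\neg R_2)\,\mathcal{U}\,R_3$ over the constructed propositions $R_1, R_2, R_3$, the product of Def. 5.2 (read with $S_{\mathcal{PA}0} = Q \times S_{A0}$ and $\delta_A(s, h(q')) = s'$), and then computes $J$ with the successor values combined by max (any switching, exactly (17)) or by min (the controller picks the input). The min variant goes beyond the paper's text, which states (17) only for the arbitrary-switching case; it realizes the feedback $\Omega_{\mathcal{PA}}$ and the projection (16) of Sec. V-A as the same value iteration. All state, input and proposition names are assumptions of the example, and $\infty$ is represented by `float("inf")`.

```python
"""Product automaton (Def. 5.2) and reachability fixed point (17) on a constructed toy quotient.
Added example; not the paper's code."""
INF = float("inf")

# Constructed toy quotient T_e/~ (hypothetical; the paper's example quotient has 9677 states).
# TRANS[(q, sigma)] = q' is the deterministic transition relation of the quotient.
Q = ["q0", "q1", "q2", "q3", "q4"]
SIGMA = ["a", "b"]
TRANS = {
    ("q0", "a"): "q1", ("q0", "b"): "q2",
    ("q1", "a"): "q3", ("q1", "b"): "q4",
    ("q2", "a"): "q2", ("q2", "b"): "q2",   # q2: trap region observed as R2
    ("q3", "a"): "q3", ("q3", "b"): "q3",
    ("q4", "a"): "q3", ("q4", "b"): "q3",
}
# Observation map h : Q -> 2^Pi with constructed Pi = {R1, R2, R3}.
H = {"q0": frozenset(), "q1": frozenset({"R1"}), "q2": frozenset({"R2"}),
     "q3": frozenset({"R3"}), "q4": frozenset()}

# Hand-built deterministic FSA for phi = (not R2) U R3: s1 accepts, sbad is a sink.
FSA_STATES = ["s0", "s1", "sbad"]
FSA_INIT = {"s0"}
FSA_FINAL = {"s1"}

def delta_A(s, obs):
    """Transition function delta_A(s, obs) of the constructed FSA."""
    if s != "s0":
        return s                      # s1 and sbad are absorbing
    if "R3" in obs:
        return "s1"
    if "R2" in obs:
        return "sbad"
    return "s0"

def build_product():
    """PA = T x A: ((q,s), sigma, (q',s')) iff q -sigma-> q' and delta_A(s, h(q')) = s'.
    Returns succ[(q, s)][sigma] = (q', s'); the epsilon-product of Sec. V-B is obtained
    by ignoring the sigma key and looking at all successors."""
    succ = {(q, s): {} for q in Q for s in FSA_STATES}
    for (q, sigma), q2 in TRANS.items():
        for s in FSA_STATES:
            succ[(q, s)][sigma] = (q2, delta_A(s, H[q2]))
    return succ

def fixed_point(succ, combine):
    """Iterate J(s) = min(J(s), combine_{s'} J(s') + 1) until no value changes.
    combine=max: every successor must reach F_PA (Eq. (17), arbitrary switching).
    combine=min: some input reaches F_PA (controller synthesis, Sec. V-A)."""
    J = {p: (0 if p[1] in FSA_FINAL else INF) for p in succ}
    changed = True
    while changed:
        changed = False
        for p, nxt in succ.items():
            if not nxt:
                continue
            cand = combine(J[t] for t in nxt.values()) + 1
            if cand < J[p]:
                J[p], changed = cand, True
    return J

def winning_initial_regions(J):
    """Quotient states q with (q, s0) in {J < inf} for an initial FSA state s0,
    i.e. the eq(q) that make up X^S (Eq. (15)) or X^AS (Prop. 5.3)."""
    return sorted({q for (q, s), v in J.items() if s in FSA_INIT and v < INF})

def controller(succ, J):
    """Omega_PA: in each winning non-final product state pick an input whose
    successor has minimal J (the closed loop then strictly decreases J)."""
    return {p: min(nxt, key=lambda sig: J[nxt[sig]])
            for p, nxt in succ.items() if J[p] < INF and p[1] not in FSA_FINAL}

def switching_sequence(succ, omega, q0):
    """Eq. (16): follow Omega_PA from (q0, s0) until F_PA and collect the inputs."""
    p = (q0, next(iter(FSA_INIT)))
    word = []
    while p[1] not in FSA_FINAL:
        sigma = omega[p]
        word.append(sigma)
        p = succ[p][sigma]
    return "".join(word)

if __name__ == "__main__":
    pa = build_product()
    J_ctrl, J_arb = fixed_point(pa, min), fixed_point(pa, max)
    print("X^S  regions:", winning_initial_regions(J_ctrl))
    print("X^AS regions:", winning_initial_regions(J_arb))
    print("Omega(q0):", switching_sequence(pa, controller(pa, J_ctrl), "q0"))
```

On this toy, `q0` is in the synthesis set but not in the arbitrary-switching set: the controller can choose `a` from `q0`, whereas arbitrary switching may pick `b` and enter the `R2` trap. This is the containment $X^{AS} \subseteq X^S$ observed in Example 5.3.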
Example 5.3 (Example 5.1 continued): For the example specification $\phi$ as in (14), we obtained the solution to Prob. 5.2. $X^{AS}$ and sample trajectories are shown in Fig. 4. Note that this is a subset of the set of initial states found for the synthesis problem (see Fig. 3).

Fig. 4: $X^{AS}$ is shown in purple. $X$, $V$, $\{\mathcal{R}_i\}_{i \in R}$ and two sample trajectories are indicated by labeling.

Remark 5.1 (Implementation): The methods described in this paper were implemented in MATLAB as a software package which uses the MPT toolbox [23] for polyhedral operations. Alg. 1 was completed in 2 hours for the example presented in the paper on an iMac with an Intel Core i5 processor at 2.8GHz with 8GB of memory. Once the bisimulation quotient is constructed, controller synthesis and verification were both completed in 2 minutes.

VI. Conclusions 

In this paper, we presented a method to abstract the behavior of a switched linear system within a positively invariant subset of $\mathbb{R}^n$ to a finite transition system via the construction of a bisimulation quotient. We employed polyhedral Lyapunov functions to guide the partitioning of the state space and showed that the construction requires polytopic operations only. We showed how this method can be used to synthesize switching sequences and to verify the behavior of the system under arbitrary switching from specifications given as scLTL formulas over linear predicates in the state of the system.